Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 3.4 Changing Your PasswordChapter 3
Users and Passwords		Next: 3.6 The Care and Feeding of Passwords
 

3.5 Verifying Your New Password

After you have changed your password, try logging into your account with the new password to make sure that you've entered the new password properly. Ideally, you should do this without logging out, so you will have some recourse if you did not change your password properly. This is especially crucial if you are logged in as root and you have just changed the root password.

Forcing a Change of Password

At one major university we know about, it was commonplace for students to change their passwords and then be unable to log into their accounts. Most often this happened when students tried to put control characters into their passwords.[7] Other times, students mistyped the password and were unable to retype it again later. More than a few got so carried away making up a fancy password that they couldn't remember it later.

[7] The control characters ^@, ^G, ^H, ^J, ^M, ^Q, ^S, and ^[ should probably not be put in passwords, because they can be interpreted by the system. If your users will log in using xdm, they should avoid all control characters, as xdm often filters them out. You should also beware of control characters that may interact with your terminal programs, terminal concentrator monitors, and other intermediate systems you may use. Finally, you may wish to avoid the # and @ characters, as some UNIX systems still interpret these characters with their use as erase and kill characters.

Well, once a UNIX password is entered, there is no way to decrypt it and recover it. The only recourse is to have someone change the password to another known value. Thus, the students would bring a picture ID to the computing center office, where a staff member would change the password to ChangeMe and instruct them to immediately go down the hall to a terminal room to do exactly that.

Late one semester shortly after the Internet worm incident, one of the staff decided to try running a password cracker (see Chapter 8) to see how many student account passwords were weak. Much to the surprise of the staff member, dozens of the student accounts had a password of ChangeMe. Furthermore, at least one of the other staff members also had that as a password! The policy soon changed to one in which forgetful students were forced to enter a new password on the spot.

Under SVR4, there is an option to the passwd command that can be used by the superuser: -f, (e.g., passwd -f nomemory). This forces the user to change his password during the login process the very next time he logs in to the system. It's a good option for system administrators to remember. (This behavior is the default on AIX. OSF/1 uses the chfn command for this same purpose.)

One way to try out your new password is to use the su command. Normally, the su command is used to switch to another account. But as the command requires that you type the password of the account to which you are switching, you can effectively use the su command to test the password of your own account.

%  su nosmis
password: mypassword 
%

(Of course, instead of typing nosmis and mypassword, use your own account name and password.)

If you're using a machine that is on a network, you can use the telnet or rlogin programs to loop back through the network and log in a second time by typing:

% telnet localhost 
Trying 127.0.0.1... 
Connected to localhost 
Escape character is '^]'   


artemis login: dawn 
password: techtalk 
Last login: Sun Feb 3 11:48:45 on ttyb 
%

You may need to replace localhost in the above example with the name of your computer.

If you try one of the earlier methods and discover that your password is not what you thought it was, you have a definite problem. To change the password to something you do know, you will need the current password. However, you don't know that password! You will need the help of the superuser to fix the situation. (That's why you shouldn't log out - if the time is 2 a.m. on Saturday, you might not be able to reach the superuser until Monday morning, and you might want to get some work done before then.)

The superuser (user root) can't decode the password of any user. However, the superuser can help you when you don't know what you've set your password to by setting your password to something else. If you are running as the superuser, you can set the password of any user, including yourself, without supplying the old password. You do this by supplying the username to the passwd command when you invoke it:

# passwd cindy
New password: NewR-pas 
Retype new password: NewR-pas 
#

Previous: 3.4 Changing Your PasswordPractical UNIX & Internet SecurityNext: 3.6 The Care and Feeding of Passwords
3.4 Changing Your PasswordBook Index3.6 The Care and Feeding of Passwords

[ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security ]


Banner.Novgorod.Ru